Splunk Search

Adding time constraints on subsearches

attgjh1
Communicator

sourcetype="typea" "Change in Working IP" | join Equipment_ID overwrite=false [search sourcetype="typeb" ErrorType = "POWERDOWN" | top Equipment_ID | fields + Equipment_ID _time | rename _time as toggletime] | table _time toggletime Equipment_ID

Here is my search string, whereby my subsearch retrieves 'powerdown' error types from the typeb sourcetype and returns it to typea, which has events that changed IP addr. This is to check if the IP change is due to a powerdown (aka reboot).

However, I'm unsure if there is a constraint on the time window from my search string. I need some advice on whether this constraint is possible.

Time window: typeb's event must occur first, before typea's events.

EDIT:
I've attempted to use join and it works. However, is there a way to constrain these Before events to within a specified time window instead now (e.g. A happens 5 min before B, reject late instances)?
And I'm having trouble converting toggletime's timestring ("1339519632.644") back to actual time. Using ctime() gives me a totally different value from its original 😞

lguinn2
Legend

There is no time constraint on the subsearch unless you set a time constraint. If you want to have the subsearch events within 5 minutes of the outer search events, try this

sourcetype="typea" "Change in Working IP" earliest=-65m | 
eval typea_time = _time |
join Equipment_ID overwrite=false usetime=true earlier=false max=0 
[search sourcetype="typeb" ErrorType = "POWERDOWN" earliest=-60m |
eval toggletime = _time |
fields + Equipment_ID toggletime ] | 
where toggletime <= typea_time + 300 and toggletime > typea_time |
fieldformat typea_time = strftime(typea_time,"%x %X") |
fieldformat toggletime = strftime(toggletime,"%x %X") |
table typea_time toggletime Equipment_ID 

One of the problems is that you are using the top command - what is the timestamp of the results of the top command?

The search above does a number of things to make the search more efficient and impose the time constraints that you want.

  1. The outer search is set to return events from the last 60 minutes, and the inner search returns events from the last 65 minutes. You could change this to other values; but this example shows you how to limit the search time ranges.
  2. The join options say that the inner search events must follow the outer search events; there is no way to set an absolute time range here, but at least the join will not generate events with typeb before typea.
  3. The where command actually tests that the typeb time is within 5 minutes after the typea time, and eliminates events that do not meet this criteria.
  4. Finally, I formatted the time fields to look better in the output.

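The same correlation, written as an added example rather than anything from the thread, in plain Python so the window logic can be checked offline: for each IP-change (typea) event, find a POWERDOWN (typeb) event for the same Equipment_ID that occurred at most 5 minutes earlier, which is the ordering the question asks for, and convert the epoch value (such as "1339519632.644") to a readable time the way strftime does in SPL. The sample events are constructed.

```python
from datetime import datetime, timezone

# Constructed sample events (not from the original post). "_time" is epoch seconds,
# exactly as Splunk stores it, so "1339519632.644" is a valid value.
TYPEA_EVENTS = [  # sourcetype="typea", "Change in Working IP"
    {"_time": "1339519632.644", "Equipment_ID": "EQ-1"},
    {"_time": "1339520400.000", "Equipment_ID": "EQ-2"},
    {"_time": "1339521000.000", "Equipment_ID": "EQ-3"},
]
TYPEB_EVENTS = [  # sourcetype="typeb", ErrorType="POWERDOWN"
    {"_time": "1339519500.000", "Equipment_ID": "EQ-1"},  # 132.6 s before EQ-1's change: match
    {"_time": "1339519200.000", "Equipment_ID": "EQ-2"},  # 1200 s before: outside the window
    {"_time": "1339521100.000", "Equipment_ID": "EQ-3"},  # 100 s AFTER the change: wrong order
]


def epoch_to_text(ts, fmt="%Y-%m-%d %H:%M:%S"):
    """Equivalent of strftime(toggletime, fmt) on an epoch string; ctime() is not the
    right tool because it expects a different input, hence the 'totally different value'."""
    return datetime.fromtimestamp(float(ts), tz=timezone.utc).strftime(fmt)


def correlate(typea, typeb, window=300):
    """Pair each IP-change event with the latest POWERDOWN for the same Equipment_ID
    that happened more than 0 and at most `window` seconds BEFORE it.
    Later or too-early POWERDOWN events are rejected, as the question requires."""
    powerdowns = {}
    for ev in typeb:
        powerdowns.setdefault(ev["Equipment_ID"], []).append(float(ev["_time"]))

    matched = []
    for ev in typea:
        t_a = float(ev["_time"])
        # the where clause, with the direction reversed: t_b < t_a <= t_b + window
        candidates = [t_b for t_b in powerdowns.get(ev["Equipment_ID"], [])
                      if 0 < t_a - t_b <= window]
        if candidates:
            matched.append({"Equipment_ID": ev["Equipment_ID"],
                            "change_time": epoch_to_text(t_a),
                            "toggletime": epoch_to_text(max(candidates))})
    return matched


if __name__ == "__main__":
    for row in correlate(TYPEA_EVENTS, TYPEB_EVENTS):
        print(row)
```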
attgjh1
Communicator

The top command is just limiting the number of equipment IDs being sent to the top 10. I've removed it.

Thanks a lot regarding the strftime!

I think it's showing what I want now 🙂 Gonna run it through a couple more test data. Thanks!
